F-Secure Virus Descriptions : Netlog

    Log file Open

Then the worm enters in an infinite loop. The worm begins the loop with the generation of a random IP class C subnet address. At first the first number of the IP address is a random number between 199 and 214, but after 50 iterations in the loop the number range is from 1 to 254. Second and third numbers of the IP address are always between 1 and 254. After the IP address has been generated the worm writes this to its log file:

    Subnet  :  *.*.*.0

where an asterisk ("*") is replaced with a number.

The VBS/Netlog goes trough the entire subnet address space (1-254) and looks a share named "C" from each machine. This is the default name for a shared "C:" drive.

If the share is found, the worm maps the remote drive to local machine as "J:" drive and adds one line to the log file:

    Copying files to  :  \\*.*.*.*\C

Then it copies itself to the following locations in the remote share:

    j:\network.vbs
    j:\windows\network.vbs
    j:\windows\start menu\programs\startup\network.vbs
    j:\win95\start menu\programs\startup\network.vbs
    j:\win95\startm~1\programs\startup\network.vbs
    j:\wind95\network.vbs

By doing this it infects the remote machine. When the remote machine is restarted, the worm will be executed.

The following line will be added to the log file if files were copied:

    Successfull copy to  :  \\*.*.*.*\C

Finally the worm takes the next address in the subnet, or chooses the next random IP address and starts again.

VARIANT:

Netlog.B

This variant consists of two files. It copies itself only to:

    C:\windows\start menu\programs\startup\network.vbs
    C:\windows\start menu\programs\startup\network.exe

It maps the remote drive to local machine as "Z:" (not "J:" as the VBS/Netlog.A variant does).

When it creates the log file "c:\network.log", the added line is different as well:

    Copyright (c) 1993-1995 Microsoft Corp.

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]